Just under half of UK IT directors are breaking the Data Protection Act and putting customer data at risk, according to a study by IT management firm Compuware.
The report found that 44 of the 100 IT directors questioned use live customer information to test applications.
Such an action counts as 'using data for purposes other than those for which it was collected' and risks prosecution under the Data Protection Act.
Beyond the legal implications, using live data for testing risks information being leaked to malicious parties.
"While 83 per cent of those surveyed are using non-disclosure agreements to control data usage when outsourcing, a lot of the time this doesn't mean anything to the outsourcers as it can be tough to communicate legal jargon to employees," said a Compuware spokesman.
"Selling confidential data can also pay a lot more than employees would normally earn in a month, so compared to the relatively small risk of being caught and prosecuted, a non-disclosure agreement is not going to mean very much."
Despite the Data Protection Act being passed in 1998, some 48 per cent of senior IT decision makers admitted to being only "vaguely familiar" with the legislation.
"Companies have had plenty of time to understand and implement robust data privacy measures since the Act was introduced eight years ago," said Ian Clarke, worldwide enterprise director at Compuware.
"Unless they have rigorous procedures in place, they run the risk of live data being leaked to third parties. This can have severe repercussions on customer confidence and company reputation, and will ultimately affect the bottom line."
Clarke pointed to laws in the US that force organisations publicly to disclose when customer data has been leaked, and said that he expected similar legislation to follow in the UK at some point.
UK firms gamble with customer data
By Matt Chapman on Jul 5, 2006 10:00AM